CVE-2026-2605
Received Received - Intake

Sensitive Information Exposure via Log Injection in TanOS

Vulnerability report for CVE-2026-2605, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: Tanium

Description

Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-20
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
tanium tanos From 1.8.4 (inc) to 1.8.4.0249 (exc)
tanium tanos From 1.8.5 (inc) to 1.8.5.0282 (exc)
tanium tanos From 1.8.6* (inc) to 1.8.6.0150 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2605 is a medium-severity vulnerability in TanOS that involves the insertion of sensitive information into log files.'}, {'type': 'paragraph', 'content': 'Specifically, an attacker with access to TanOS syslog output can obtain the temporary password of a TanOS user whose password was recently reset.'}, {'type': 'paragraph', 'content': "This temporary password is valid only from the time of the reset until the user's first successful login."}] [1]

Impact Analysis

An attacker who can access TanOS syslog output can retrieve temporary passwords of users who recently reset their passwords.

This could allow unauthorized access to user accounts during the window between password reset and first login.

Since the vulnerability exposes sensitive authentication information, it increases the risk of account compromise.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the insertion of sensitive information, specifically temporary passwords, into TanOS syslog output. Detection would involve inspecting the TanOS syslog files for the presence of temporary passwords issued after a password reset.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The only effective mitigation is to upgrade TanOS to a fixed version. The fixed versions are Update 21 (v1.8.4.0249) or later for the 2024H2 release, Update 14 (v1.8.5.0282) or later for the 2025H1 release, and Update 5 (v1.8.6.0150) or later for the 2025H2 release.

No workarounds or other mitigations are available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart